Security Basics Lesson 16 – Secure Network Architecture | Dataplexa

Security Basics

I. Core Security Fundamentals
1. What is Cybersecurity 2. Why Cybersecurity Matters 3. Types of Cyber Threats 4. Vulnerabilities, Risks & Exploits 5. CIA Triad 6. Authentication vs Authorization 7. Security Policies & Procedures 8. Defense in Depth 9. Security Best Practices 10. Introduction to Security Careers
II. Systems, Network & App Security
11. OS Security Basics 12. Linux Security Fundamentals 13. Windows Security Fundamentals 14. Network Security Basics 15. Firewalls & Access Control 16. Secure Network Architecture 17. Application Security Basics 18. Web Security Fundamentals 19. Security Misconfigurations 20. Security Hardening Basics
III. Threats, Attacks & Prevention
21. Malware Types & Analysis 22. Phishing & Social Engineering 23. Password Attacks & Protection 24. Insider Threats 25. Denial of Service Attacks 26. Man-in-the-Middle Attacks 27. Web Application Attacks 28. Data Breaches & Case Studies 29. Security Monitoring Basics 30. Incident Response Introduction
IV. Governance, Risk & Real World
31. Risk Management Basics 32. Security Compliance Overview 33. ISO 27001 Fundamentals 34. SOC & Security Operations 35. Logging & Auditing 36. Security Tools Overview 37. Cloud Security Basics 38. Security Automation 39. Security Best Practices Checklist 40. Mini Project – Security Assessment
Section II · Lesson 16

Secure Network Architecture

Secure network architecture is the practice of designing how systems connect to each other — and critically, how they don't. A flat network where every machine can talk to every other machine is an attacker's ideal environment. One compromised workstation and they can reach the database server, the domain controller, the backup system — everything. Good architecture contains that blast radius before the breach even happens.

This lesson covers

Why flat networks fail → Network segmentation and VLANs → DMZ design → Zero Trust architecture → Configuring VLANs in practice → How attackers move laterally → What a hardened architecture looks like

Why flat networks are dangerous

A flat network is one where all devices share the same network segment — no internal boundaries, no separation between the finance department and the IoT thermostats, no distinction between the public-facing web server and the internal HR database. Everything can reach everything else.

In 2013, Target's breach spread this way. The HVAC contractor's compromised credentials gave access to one system. Because the network was flat, that one system could communicate directly with the point-of-sale servers. The attackers pivoted across in hours. Had the network been segmented — had the vendor management system been isolated from the payment infrastructure — the breach would have stopped at the first wall.

This movement from one compromised system to other systems on the same network is called lateral movement — and it's the phase where most breaches do their real damage. The initial compromise is often a low-value target. The lateral movement is how attackers reach the crown jewels.

Network segmentation and VLANs

Network segmentation means dividing a network into isolated zones — each zone containing systems with similar trust levels and communication needs. Traffic between zones must pass through a firewall or router that enforces rules on what can flow where. A compromise inside one zone cannot automatically reach systems in another.

VLANs (Virtual Local Area Networks) are the practical mechanism for doing this on a single physical network infrastructure. A VLAN assigns network traffic to a logical segment — identified by a VLAN ID — regardless of which physical switch port the device is plugged into. Traffic from VLAN 10 (servers) cannot reach VLAN 20 (staff workstations) unless a router or Layer 3 switch explicitly allows it.

Internet Perimeter Firewall Core Router / L3 Switch DMZ — VLAN 10 Web servers Mail relay Internet-facing Internal — VLAN 20 Staff workstations Internal tools No internet access Secure — VLAN 30 Databases Backup systems No direct inbound

Three-zone segmented network. Internet traffic hits the perimeter firewall first. Only DMZ traffic is internet-facing. Internal and Secure zones are isolated from each other and from the internet.

The DMZ — your public-facing buffer zone

The DMZ (Demilitarised Zone) is a network segment that sits between the internet and your internal network. Systems that need to be reachable from the internet — web servers, mail relays, public APIs — live in the DMZ. The internal network sits behind a second firewall. Even if an attacker fully compromises a DMZ server, they still face that internal firewall before they can reach anything sensitive.

The rules for a DMZ are strict: DMZ systems can receive connections from the internet. They can send responses back. They cannot initiate connections into the internal network. The internal network can initiate connections to DMZ systems for management purposes — but never the other way around. This one-directional trust is what makes the DMZ effective.

Goes in the DMZ

Public web servers, reverse proxies, mail relay servers, public-facing APIs, VPN endpoints, DNS resolvers for external queries.

Never goes in the DMZ

Databases, internal authentication servers, backup systems, HR or finance systems, internal admin tools, domain controllers.

Zero Trust — don't trust the network

Traditional network security assumed that traffic inside the network perimeter was trustworthy. If you got past the perimeter firewall, you were in — and once in, you could move relatively freely. Zero Trust rejects this assumption entirely.

Zero Trust operates on one principle: never trust, always verify. Every request — whether it comes from inside the network or outside — must be authenticated, authorised, and validated before access is granted. Being on the corporate network doesn't mean you're trusted. Being a known device doesn't mean you're trusted without current authentication. Every access decision is made individually, every time.

Why Zero Trust matters now

The traditional perimeter model assumed your employees were inside the building on your network. Remote work, cloud services, BYOD, and contractor access have destroyed that assumption. When 40% of your workforce is working from coffee shops, home networks, and airport lounges — and your applications live in AWS rather than a data centre — there is no meaningful perimeter to defend. Zero Trust is the architectural response to that reality.

Configuring VLANs in practice

On a Linux host, VLANs are configured using the ip command and the 8021q kernel module. This is how you'd create VLAN-tagged interfaces on a server or a Linux-based router — the same concept applies whether you're configuring a physical switch or a virtual network in a cloud environment.

# Load the 802.1Q VLAN kernel module
sudo modprobe 8021q

# Make it load automatically on boot
echo "8021q" | sudo tee -a /etc/modules

# Create a VLAN interface on eth0 for VLAN ID 10 (DMZ)
sudo ip link add link eth0 name eth0.10 type vlan id 10

# Create a VLAN interface on eth0 for VLAN ID 20 (Internal)
sudo ip link add link eth0 name eth0.20 type vlan id 20

# Assign IP addresses to each VLAN interface
sudo ip addr add 10.0.10.1/24 dev eth0.10
sudo ip addr add 10.0.20.1/24 dev eth0.20

# Bring both interfaces up
sudo ip link set eth0.10 up
sudo ip link set eth0.20 up

# Verify the interfaces are configured correctly
ip -d link show eth0.10
ip addr show

# Block traffic between VLAN 10 and VLAN 20 at the firewall level
# (VLAN isolation at the network layer prevents lateral movement)
sudo iptables -I FORWARD -i eth0.10 -o eth0.20 -j DROP
sudo iptables -I FORWARD -i eth0.20 -o eth0.10 -j DROP
# ip -d link show eth0.10
3: eth0.10@eth0:  mtu 1500 qdisc noqueue state UP mode DEFAULT
    link/ether 00:1a:2b:3c:4d:5e brd ff:ff:ff:ff:ff:ff promiscuity 0
    vlan protocol 802.1Q id 10 

# ip addr show (abbreviated)
2: eth0:  mtu 1500 state UP
    inet 192.168.1.100/24 brd 192.168.1.255 scope global eth0
3: eth0.10@eth0:  mtu 1500 state UP
    inet 10.0.10.1/24 brd 10.0.10.255 scope global eth0.10
4: eth0.20@eth0:  mtu 1500 state UP
    inet 10.0.20.1/24 brd 10.0.20.255 scope global eth0.20

# iptables -L FORWARD -v -n after applying the drop rules
Chain FORWARD (policy DROP 0 packets, 0 bytes)
num   pkts bytes target  prot opt in       out      source     destination
1        0     0 DROP    all  --  eth0.10  eth0.20  0.0.0.0/0  0.0.0.0/0
2        0     0 DROP    all  --  eth0.20  eth0.10  0.0.0.0/0  0.0.0.0/0

What just happened

Two VLAN-tagged interfaces — eth0.10 and eth0.20 — sitting on top of the same physical interface eth0 but on completely separate IP subnets. The FORWARD chain DROP rules enforce that nothing can cross between them — traffic from VLAN 10 heading to VLAN 20 is dropped at the kernel level, and vice versa. An attacker who compromises a system on the DMZ subnet (10.0.10.x) cannot directly reach anything on the internal subnet (10.0.20.x). They hit the DROP rule first.

How attackers perform lateral movement

Once inside a network, attackers use a predictable playbook. Understanding it helps you design architecture that breaks each step.

1. Reconnaissance — mapping the internal network

From the compromised machine, the attacker runs arp -a, nmap, or similar tools to discover other hosts on the same subnet. On a flat network this immediately reveals everything. On a segmented network, they can only see hosts in the same VLAN — the rest is invisible.

2. Credential harvesting — collecting passwords to move with

Tools like Mimikatz extract cached credentials from Windows memory. SSH keys stored on compromised servers are reused to authenticate to other servers. Service accounts with the same password across multiple systems become master keys. Unique credentials per system and per service directly limit this.

3. Pivoting — using compromised hosts as relay points

If a compromised DMZ server can reach the internal network, the attacker routes their traffic through it — using it as a jump host to reach systems the attacker couldn't access directly. Strict VLAN-to-VLAN firewall rules that deny all traffic by default make this dramatically harder.

4. Privilege escalation — reaching admin access

The goal is always to reach a domain controller, a database with all credentials, or a system with backup access. Network architecture can't stop privilege escalation on a single host — but it can prevent the escalated privileges from being used to reach the systems that matter most.

Instructor's Note

The question to ask about every system in your network is: if this machine were fully compromised right now, what else could the attacker reach from it? Draw that map. Every connection you find that doesn't need to exist is a lateral movement path you can close. This exercise — sometimes called a blast radius analysis — is one of the most useful things you can do with an afternoon and a network diagram.

Practice Questions

After compromising one machine inside a flat network, an attacker pivots to reach a database server on the same segment. What is this technique called? (two words)




What is the name of the network zone where internet-facing servers like web servers and mail relays should be placed — separated from the internal network by a firewall?




What is the core operating principle of Zero Trust architecture? (four words)



Quiz

Why does network segmentation reduce the damage from a breach?



What is the key traffic rule that makes a DMZ effective?



Why has Zero Trust become necessary in modern environments?


Up Next · Lesson 17

Application Security Basics

How vulnerabilities get introduced at the code level — input validation, authentication flaws, insecure dependencies, and the developer habits that prevent them.

← Previous Course Index Next →